The charity sector's attention around GDPR (the data protection regulation that comes into effect on 25 May 2018) has to date focused on fundraising practices. However, with a regular flow of media stories about data breaches, cyber attacks and hacking, it is hard for anyone to ignore cyber security in the current climate. It is an enforcement priority for the regulator (the ICO) and a policy priority for government.
But aside from the truism that everyone needs to take individual responsibility for cyber security, how is the charity sector specifically placed with regard to this issue? Are there particular vulnerabilities facing charities? To what extent are trustees and staff in the sector well informed both about the risks and practical measures that can be taken to protect their organisations from cyber attacks?
A new research report attempts to shed some light on these issues: Cyber Security in Charities, published by the Department for Digital, Culture, Media and Sport as part of the Government's national cyber security strategy ("which aims to make the UK the safest place to live and work online"). It is the result of qualitative research undertaken by way of interviews with representatives of a range of charities (of differing size, location and focus) to explore awareness, attitudes and experiences around cyber security.
The report found some evidence that cyber security was viewed as more of an issue for businesses than for charities and that "there is still a need to raise basic awareness" of the issue among charities. There was, however, some understanding among sector interviewees of its importance – for example the fact that charities hold personal data on donors or service users and that, particularly for larger charities, they are of a size and complexity that is comparable to many businesses.
The report identifies a number of particular barriers facing charities compared with businesses when it comes to dealing with cyber security. These are: competing demands (with charities generally not considering it a business continuity issue and therefore a 'desirable' rather than 'essential' activity); gaps in trustee and staff skills (particularly among smaller and long-running charities); a strong cultural focus on cost-cutting; and the lack of central office functions.
The report also evidences a considerable breadth of responses, and notes that the extent to which charities prioritise cyber security depends on their background awareness of the issue: for example, if they have trustees with relevant private sector experience. Some participants tended to view it as a "common sense" issue (ie something that "should not require much thought or investment to get right") while others considered it an "unaffordable luxury". The latter view is a telling one.
The present law of data protection does acknowledge that what constitutes "appropriate" measures against unlawful loss of, or access to, personal data depends in part on an organisation's available resources, as well as on the nature and volume of the data held. However, that is only part of the story. For one thing, compliance is measured more by culture (staff training, protocols that are easily understood, policies that are actually followed) than by any particular piece of software. And while cyber security may still be perceived in some quarters as an expensive luxury, the basic elements of password protection and encryption are so standard that, in the event of an incident, a tight budget will not be a credible excuse to the ICO.
There was a general view among the interviewees of the importance of data protection in the sector (particularly among charities that work with children, people with disabilities or the elderly and therefore handle the personal data of vulnerable groups on a regular basis). Interestingly, however, this awareness of data protection issues – no doubt driven by recent ICO fines on charities for breaches of the "fair processing" requirements in relation to supporter data – did not always translate into a similar emphasis on cyber security (particularly among smaller charities). Furthermore, although there was "an especially strong concern about funds or personal data being stolen, as these were seen as existential threats", there was less emphasis on the risks of losing non-personal data (e.g. commercially confidential information), "even though others acknowledged that losing access to non-personal data would also stop their organisation from functioning".
Overall the report will hopefully serve to shine a useful light on this increasingly important issue. The Charity Commission has encouraged charities to follow the advice on its Charities Against Fraud website and to "do more to educate their staff...and ensure they dedicate enough time and resources to improving cyber security."
Although charities face a complex regulatory landscape and many competing priorities and calls on their resources, cyber security is only going to become more important and charities will inevitably need to consider how they protect themselves accordingly. GDPR will bring mandatory reporting of personal data breaches: the ICO must be notified without undue delay and, where feasible, within 72 hours of the charity becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. A breach may also need to be reported to the Charity Commission and, where it is likely to result in a high risk to those affected, communicated to them directly. In a sector that has faced significant data protection difficulties recently, the security of systems could be the next flashpoint.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, October 2017